Merge pull request #104 from damienbod/update/azure-certificate-management

Azure Key Vault management update

Author: damienbod

Changelog.md

@@ -2,6 +2,9 @@
 
 [Readme](https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate/blob/master/README.md) 
 
+2021-01-19 5.1.0
+- Switched to Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity for the Azure Key Vault management
+
 2021-01-07 5.0.5
 - Updated nuget packages 3.1.10
 - Updated npm packages

README.md

@@ -85,6 +85,7 @@ Use the `-n` or `--name` parameter to change the name of the output created. Thi
 - Update the claims in the IdentityWithAdditionalClaimsProfileService
 - Add the security headers as required, CSP, IFrame, XSS, HSTS, ...
 - If you deploy in a multi instance environment, add the session data to a database using the IdentityServer4.EntityFramework NuGet package
+- Add "AZURE_TENANT_ID": "your-tenandId" to the launch settings to test in VS with Azure Key Vault certificates
 
 ### uninstall
 

content/IdentityServer4AspNetCoreIdentityTemplate.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2012/06/nuspec.xsd">
 	<metadata>
 		<id>IdentityServer4AspNetCoreIdentityTemplate</id>
-		<version>5.0.6</version>
+		<version>5.1.0</version>
 		<title>IdentityServer4.Identity.Template</title>
 		<license type="file">LICENSE</license>
 		<description>
@@ -17,7 +17,7 @@
 		<requireLicenseAcceptance>false</requireLicenseAcceptance>
 		<copyright>2020 damienbod</copyright>
 		<summary>This template provides a simle getting started for IdentityServer4 with Identity. Identity is Localized and the UI uses Bootstrap 4, Remove AllowAnonymous from the logout</summary>
-		<releaseNotes>Updated nuget packages 3.1.9, updated npm packages</releaseNotes>
+		<releaseNotes>Switched to Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity for the Azure Key Vault management</releaseNotes>
 		<repository type="git" url="https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate" />
 		<packageTypes>
 			<packageType name="Template" />

content/StsServerIdentity/Program.cs

@@ -1,7 +1,6 @@
 using System;
-using Microsoft.AspNetCore;
+using Azure.Identity;
 using Microsoft.AspNetCore.Hosting;
-using Microsoft.Azure.KeyVault;
 using Microsoft.Azure.Services.AppAuthentication;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Hosting;
@@ -48,9 +47,7 @@ public static IHostBuilder CreateHostBuilder(string[] args) =>
                     if (!string.IsNullOrEmpty(keyVaultEndpoint))
                     {
                         var azureServiceTokenProvider = new AzureServiceTokenProvider();
-                        var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
-
-                        config.AddAzureKeyVault(keyVaultEndpoint);
+                        config.AddAzureKeyVault(new Uri(keyVaultEndpoint), new DefaultAzureCredential());
                     }
                     else
                     {

content/StsServerIdentity/Services/Certificate/CertificateService.cs

@@ -1,4 +1,8 @@
-using System.Security.Cryptography.X509Certificates;
+using Azure.Identity;
+using Azure.Security.KeyVault.Certificates;
+using Azure.Security.KeyVault.Secrets;
+using System;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 
 namespace StsServerIdentity.Services.Certificate
@@ -21,11 +25,20 @@ public static class CertificateService
             {
                 if (!string.IsNullOrEmpty(certificateConfiguration.KeyVaultEndpoint))
                 {
+                    var credential = new DefaultAzureCredential();
                     var keyVaultCertificateService = new KeyVaultCertificateService(
                             certificateConfiguration.KeyVaultEndpoint,
                             certificateConfiguration.CertificateNameKeyVault);
 
-                    certs = await keyVaultCertificateService.GetCertificatesFromKeyVault().ConfigureAwait(false);
+                    var secretClient = new SecretClient(
+                        vaultUri: new Uri(certificateConfiguration.KeyVaultEndpoint),
+                        credential);
+
+                    var certificateClient = new CertificateClient(
+                        vaultUri: new Uri(certificateConfiguration.KeyVaultEndpoint),
+                        credential);
+
+                    certs = await keyVaultCertificateService.GetCertificatesFromKeyVault(secretClient, certificateClient).ConfigureAwait(false);
                 }
             }
 

content/StsServerIdentity/Services/Certificate/KeyVaultCertificateService.cs

@@ -3,8 +3,8 @@
 using System.Linq;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
-using Microsoft.Azure.KeyVault;
-using Microsoft.Azure.KeyVault.Models;
+using Azure.Security.KeyVault.Certificates;
+using Azure.Security.KeyVault.Secrets;
 using Microsoft.Azure.Services.AppAuthentication;
 
 namespace StsServerIdentity.Services.Certificate
@@ -25,46 +25,57 @@ public KeyVaultCertificateService(string keyVaultEndpoint, string certificateNam
             _certificateName = certificateName; // certificateName
         }
 
-        public async Task<(X509Certificate2 ActiveCertificate, X509Certificate2 SecondaryCertificate)> GetCertificatesFromKeyVault()
+        public async Task<(X509Certificate2 ActiveCertificate, X509Certificate2 SecondaryCertificate)> GetCertificatesFromKeyVault(
+            SecretClient secretClient, CertificateClient certificateClient)
         {
-            (X509Certificate2 ActiveCertificate, X509Certificate2 SecondaryCertificate) certs = (null, null);
-            var azureServiceTokenProvider = new AzureServiceTokenProvider();
-            var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
+            (X509Certificate2 ActiveCertificate, X509Certificate2 SecondaryCertificate) certs = (null, null);
 
-            var certificateItems = await GetAllEnabledCertificateVersionsAsync(keyVaultClient);
+            var certificateItems = GetAllEnabledCertificateVersions(certificateClient);
             var item = certificateItems.FirstOrDefault();
             if (item != null)
             {
-                certs.ActiveCertificate = await GetCertificateAsync(item.Identifier.Identifier, keyVaultClient);
+                certs.ActiveCertificate = await GetCertificateAsync(
+                    secretClient, _certificateName, item.Version);
             }
 
             if (certificateItems.Count > 1)
             {
-                certs.SecondaryCertificate = await GetCertificateAsync(certificateItems[1].Identifier.Identifier, keyVaultClient);
+                certs.SecondaryCertificate = await GetCertificateAsync(
+                    secretClient, _certificateName, certificateItems[1].Version);
             }
 
             return certs;
         }
 
-        private async Task<List<CertificateItem>> GetAllEnabledCertificateVersionsAsync(KeyVaultClient keyVaultClient)
-        {
-            // Get all the certificate versions (this will also get the currect active version
-            var certificateVersions = await keyVaultClient.GetCertificateVersionsAsync(_keyVaultEndpoint, _certificateName);
-
-            // Find all enabled versions of the certificate and sort them by creation date in decending order 
-            return certificateVersions
-              .Where(certVersion => certVersion.Attributes.Enabled.HasValue && certVersion.Attributes.Enabled.Value)
-              .OrderByDescending(certVersion => certVersion.Attributes.Created)
+        private List<CertificateProperties> GetAllEnabledCertificateVersions(
+            CertificateClient certificateClient)
+        {
+            var certificateVersions = certificateClient.GetPropertiesOfCertificateVersions(_certificateName);
+            var certificateItems = certificateVersions.ToList();
+
+            // Find all enabled versions of the certificate and sort them by creation date in decending order 
+            return certificateVersions
+              .Where(certVersion => certVersion.Enabled.HasValue && certVersion.Enabled.Value)
+              .OrderByDescending(certVersion => certVersion.CreatedOn)
               .ToList();
-        }
-
-        private async Task<X509Certificate2> GetCertificateAsync(string identitifier, KeyVaultClient keyVaultClient)
-        {
-            var certificateVersionBundle = await keyVaultClient.GetCertificateAsync(identitifier);
-            var certificatePrivateKeySecretBundle = await keyVaultClient.GetSecretAsync(certificateVersionBundle.SecretIdentifier.Identifier);
-            var privateKeyBytes = Convert.FromBase64String(certificatePrivateKeySecretBundle.Value);
-            var certificateWithPrivateKey = new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet);
-            return certificateWithPrivateKey;
+        }
+
+        private async Task<X509Certificate2> GetCertificateAsync(
+            SecretClient secretClient,
+            string certName,
+            string version)
+        {
+            // Create a new secret using the secret client.
+            var secretName = certName;
+            KeyVaultSecret secret = await secretClient.GetSecretAsync(secretName, version);
+
+            var privateKeyBytes = Convert.FromBase64String(secret.Value);
+
+            var certificateWithPrivateKey = new X509Certificate2(privateKeyBytes,
+                (string)null,
+                X509KeyStorageFlags.MachineKeySet);
+
+            return certificateWithPrivateKey;
         }
 
     }

content/StsServerIdentity/StsServerIdentity.csproj

@@ -1,29 +1,31 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
     <TargetFramework>netcoreapp3.1</TargetFramework>
-    <Version>5.0.6</Version>
+    <Version>5.1.0</Version>
     <Description>IdentityServer4 template with ASP.NET Core 3.1 and ASP.NET Core Identity</Description>
     <PackageProjectUrl>https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate</PackageProjectUrl>
     <PackageIconUrl>http://www.gravatar.com/avatar/61d005637f57b5c3da8ba662cf04a9d6.png</PackageIconUrl>
     <RepositoryUrl>https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate</RepositoryUrl>
     <PackageLicenseFile>LICENSE</PackageLicenseFile>
     <PackageTags>oidc identityserver4 identity aspnetcore</PackageTags>
-    <PackageReleaseNotes>Updated nuget packages 3.1.9, updated npm packages</PackageReleaseNotes>
+    <PackageReleaseNotes>Switched to Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity for the Azure Key Vault management</PackageReleaseNotes>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.1.0" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.0.2" />
+    <PackageReference Include="Azure.Identity" Version="1.3.0" />
+    <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.1.0" />
+    <PackageReference Include="Microsoft.Azure.Services.AppAuthentication" Version="1.6.0" />
     <PackageReference Include="BuildBundlerMinifier" Version="3.2.449" />
     <PackageReference Include="IdentityServer4" Version="4.1.1" />
     <PackageReference Include="IdentityServer4.AspNetIdentity" Version="4.1.1" />
-    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="3.1.10" />
-    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="3.1.10" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="3.1.10" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.1.10">
+    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="3.1.11" />
+    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="3.1.11" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="3.1.11" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.1.11">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.Extensions.Configuration.AzureKeyVault" Version="3.1.10" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="3.1.10" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="3.1.11" />
     <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="3.1.4" />
     <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
     <PackageReference Include="Remotion.Linq" Version="2.2.0" />
@@ -36,7 +38,7 @@
     <PackageReference Include="Serilog.Sinks.Console" Version="3.1.1" />
     <PackageReference Include="Serilog.Sinks.File" Version="4.1.0" />
     <PackageReference Include="Fido2" Version="1.1.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="3.1.10" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="3.1.11" />
   </ItemGroup>
 
   <ItemGroup>